CVE-2025-57156
Published: 20 January 2026
Summary
CVE-2025-57156 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Owntone Owntone Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 39.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2025-57156 is a NULL pointer dereference vulnerability in the dacp_reply_playqueueedit_clear function within src/httpd_dacp.c of owntone-server, affecting the software through commit 6d604a1, a newer commit after version 28.12. Published on 2026-01-20, this issue falls under CWE-476 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high-impact potential on availability without compromising confidentiality or integrity.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required, triggering the NULL pointer dereference to crash the owntone-server process and cause a denial of service.
Mitigation is addressed in commit 5e4d40ee03ae22ab79534bb1410fa9db96c9fabd on the owntone-server GitHub repository. Further details on the vulnerability and remediation are provided in the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md and GitHub issue #1907 at https://github.com/owntone/owntone-server/issues/1907.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3337
Vulnerability details
NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
NULL pointer dereference enables remote unauthenticated exploitation to crash the server process, directly matching application exploitation for endpoint DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the NULL pointer dereference by requiring timely remediation through patching as provided in commit 5e4d40ee.
Validates information inputs to the dacp_reply_playqueueedit_clear function in httpd_dacp.c to prevent malformed remote requests from triggering the NULL dereference.
Protects against the unauthenticated remote denial-of-service attack by limiting the effects of crashes through traffic filtering or rate limiting.